Information Security News | AI Aggregator

Please be mindful of possible hallucinations. Verify information prior to taking action.
The Signal Clone the Trump Admin Uses Was Hacked
Date: 2025-05-04 | Source: 404 Media
A hacker breached TeleMessage, an Israeli company providing modified messaging apps for U.S. government archiving, exposing customer data including direct messages and group chats. The breach revealed vulnerabilities in the app, allowing access to unencrypted archived chats. Data from Customs and Border Protection, Coinbase, and other entities were compromised. The hacker exploited the system in about 15-20 minutes, highlighting risks associated with archiving features on end-to-end encrypted apps like Signal.
The Signal Clone the Trump Admin Uses Was Hacked
2025-05-05 | TechRadar: TeleMessage, the Signal-esque app used by the Trump administration, has been hacked
TeleMessage, a messaging app used by some US government officials, has been hacked, resulting in the theft of private messages. The hacker shared some of these messages with 404 Media, which confirmed their authenticity. The hacker reportedly did not take any US government data, including messages from former National Security Advisor Mike Waltz. The method of access remains unclear, and neither TeleMessage nor the US Government has commented on the incident. A Signal spokesperson noted concerns about unofficial versions of the app.
2025-05-05 | TechCrunch: TeleMessage, a modified Signal clone used by US govt. officials, has been hacked
A vulnerability in TeleMessage, a modified version of Signal used by U.S. government officials, has been exploited, allowing a hacker to extract archived messages and sensitive data. While messages from cabinet members were not compromised, the breach included contact information, backend login credentials, and data from U.S. Customs and Border Protection, Coinbase, and Scotiabank. The incident revealed that archived chat logs are not end-to-end encrypted between TeleMessage and its storage location.
2025-05-05 | TechCrunch: TeleMessage, a modified Signal clone used by US government officials, has been hacked
A vulnerability in TeleMessage, a modified version of Signal used by U.S. government officials, has been exploited, allowing a hacker to extract archived messages and sensitive data. Although messages from cabinet members were not compromised, the breach included contact information, back-end login credentials, and data from U.S. Customs and Border Protection, Coinbase, and Scotiabank. The incident highlighted that archived chat logs are not end-to-end encrypted, raising significant security concerns.
2025-05-05 | The Verge: The modified Signal app used by Mike Waltz was reportedly hacked
A hacker accessed direct messages and contact information from TeleMessage, an Israeli company providing modified Signal versions to the US government. The archived chat logs were not end-to-end encrypted, exposing government officials' contact details, including Customs and Border Protection officials. Although no messages from Mike Waltz were compromised, the breach raised concerns about the security of communication services used by government officials. TeleMessage has since removed its website content.
2025-05-05 | BleepingComputer: Unofficial Signal app used by Trump officials investigates hack
TeleMessage, an Israeli company providing an unofficial Signal message archiving tool, has suspended services following a reported hack. The parent company, Smarsh, is investigating the incident with an external cybersecurity firm. A hacker claimed to have accessed archived messages and data, including government officials' contact information and back-end login credentials. While messages from Trump officials were not compromised, the breach potentially exposed links to U.S. Customs and Border Protection and other entities. Vulnerabilities in the app's source code were also identified.
2025-05-05 | The Register: Signal chat app clone used by Signalgate's Waltz was apparently an insecure mess
An unidentified individual reportedly accessed US government communications from TeleMessage, a messaging app based on Signal, used by former national security advisor Michael Waltz. TeleMessage has temporarily suspended services while investigating a potential security incident. Screenshots of the compromised data included correspondence related to US Customs and Border Protection and Coinbase. Vulnerabilities in the app's source code, including hardcoded credentials, were also identified, raising security concerns.
2025-05-05 | Wired: Signal Clone Used by Mike Waltz Pauses Service After Reports It Got Hacked
The messaging app TeleMessage, used by former Trump administration official Mike Waltz, has suspended services after reports of a data breach. The company is investigating the incident with external cybersecurity support. Experts noted that TM Signal's archiving feature compromises the end-to-end encryption of the legitimate Signal app. TeleMessage apps are not FedRAMP approved, raising concerns about their security. Following the breach, TeleMessage removed content from its website and discontinued its archiving service.
2025-05-05 | Ars Technica: Signal clone used by Trump official stops operations after report it was hacked
A messaging service used by former National Security Advisor Mike Waltz has temporarily ceased operations following a reported hack. The hacker accessed data from TeleMessage, an Israeli company providing modified Signal versions for U.S. government archiving. Stolen data includes direct messages and group chats. TeleMessage, recently acquired by Smarsh, is investigating the incident and has suspended its services while engaging an external cybersecurity firm. All other Smarsh services remain operational.
Magento supply chain attack compromises hundreds of e-stores
Date: 2025-05-02 | Source: BleepingComputer
A supply chain attack has compromised 500 to 1,000 e-commerce stores via 21 backdoored Magento extensions, discovered by Sansec. The malicious code, dormant since 2019, was activated in April 2025. Affected vendors include Tigren and Meetanshi, with a PHP backdoor allowing unauthorized access and code execution. Sansec advised users to scan servers for indicators of compromise and restore from clean backups. Tigren denied a breach, while Meetanshi acknowledged a server breach.
Magento supply chain attack compromises hundreds of e-stores
2025-05-05 | Risky.Biz: Risky Bulletin: Six-years-old backdoor comes to life to hijack Magento stores
Hackers have activated backdoors in Magento plugins, compromising nearly 1,000 online stores. The initial breaches occurred in 2019 when attackers accessed the servers of developers Magesolution, Meetanshi, and Tigren, modifying 21 plugins to include malicious code in the License.php file. This code remained dormant until April 2025, allowing attackers to execute commands on affected servers. Victims include a $40 billion multinational, and affected stores must conduct thorough checks for additional vulnerabilities.
2025-05-05 | SC Magazine: Backdoored Magento plugins hit 1,000 online stores
Up to 1,000 e-commerce websites, including one linked to a $40 billion company, were compromised due to a supply chain attack involving 21 Magento extensions with a backdoor activated in April 2025 after six years. The backdoor, embedded in license check files from Tigren, Meetanshi, and MGS since 2019, allows remote code execution, enabling admin account creation and data theft. Sansec advises users to scan servers and restore from clean backups. Meetanshi acknowledged a breach, while Tigren and MGS denied any issues.
2025-05-05 | TechRadar: Hundreds of top ecommerce sites under attack following Magento supply chain flaw
A supply chain attack has compromised hundreds of ecommerce websites due to 21 backdoored Magento extensions from Tigren, Meetanshi, and MGS. Discovered by Sansec, the malicious code, dormant since 2019, was activated in April 2025, affecting 500-1,000 sites, including one owned by a $40 billion corporation. The attackers inserted a PHP backdoor, allowing remote code execution and compromising sensitive data. Users are urged to secure their Magento stores immediately.
2025-05-05 | Ars Technica: Hundreds of e-commerce sites hacked in supply-chain attack
Hundreds of e-commerce sites were compromised in a supply-chain attack, affecting at least three software providers and potentially impacting over 1,000 sites. Malware executed on visitor browsers steals payment card information. The attack, which remained dormant for six years, allows full remote code execution on servers. Compromised software includes products from Tigren, Magesolution, and Meetanshi, with potential involvement from Weltpixel. Affected customers include a $40 billion multinational company.
US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks
Date: 2025-05-02 | Source: BleepingComputer
Rami Khaled Ahmed, a 36-year-old Yemeni national, has been indicted by the U.S. for operating the Black Kingdom ransomware, conducting 1,500 attacks on Microsoft Exchange servers from March 2021 to June 2023. Victims included a medical billing service and a school district. The ransomware exploited ProxyLogon vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) to gain access. Ahmed faces charges that could lead to 15 years in prison if convicted.
US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks
2025-05-02 | Recorded Future: US indicts Yemeni man in Black Kingdom ransomware attacks
Rami Khaled Ahmed, a 36-year-old Yemeni man, has been indicted for his role in the Black Kingdom ransomware operation, which affected approximately 1,500 systems in the U.S. and abroad from March 2021 to June 2023. Victims included a medical billing service in California and a ski resort in Oregon. The ransomware demanded $10,000 in Bitcoin. Ahmed faces charges of conspiracy, intentional damage to a protected computer, and threatening damage, each carrying a potential five-year prison sentence.
2025-05-03 | The Hacker News: U.S. Charges Yemeni Hacker Behind Black Kingdom Ransomware Targeting 1,500 Systems
The U.S. Department of Justice charged Rami Khaled Ahmed, a Yemeni national, with deploying Black Kingdom ransomware against 1,500 systems, including U.S. businesses and schools, from March 2021 to June 2023. Ahmed exploited the ProxyLogon vulnerability in Microsoft Exchange Server. Victims were told to pay $10,000 in Bitcoin. If convicted, he faces up to five years per count. The case is under investigation by the FBI, with support from New Zealand Police.
2025-05-05 | Cyberscoop: Federal prosecutors indict alleged head of Black Kingdom ransomware
Federal prosecutors indicted Rami Khaled Ahmed, 36, for deploying "Black Kingdom" ransomware against U.S. and global organizations, affecting around 1,500 systems from March 2021 to June 2023. Charged with conspiracy and intentional damage to protected computers, Ahmed exploited a Microsoft Exchange vulnerability. Victims include a medical billing service in California and a school district in Pennsylvania. The ransomware demanded $10,000 in Bitcoin. Ahmed remains at large in Yemen, which does not extradite to the U.S.
Privacy regulator fines TikTok $600 million over EU data transfers to China
Date: 2025-05-02 | Source: Recorded Future
Ireland’s Data Protection Commission fined TikTok €530 million ($600 million) for violating EU data transfer regulations and failing to meet transparency requirements under GDPR. TikTok did not verify that its China-based staff could access European data lawfully and provided inaccurate information during the inquiry. The DPC is considering further penalties due to data being stored on Chinese servers. TikTok updated its privacy policy in 2022 to comply with GDPR transparency requirements.
Privacy regulator fines TikTok $600 million over EU data transfers to China
2025-05-02 | BleepingComputer: TikTok fined €530 million for sending European user data to China
The Irish Data Protection Commission (DPC) fined TikTok €530 million for illegally transferring EEA user data to China, violating GDPR. The fine includes €485 million for unlawful data transfers and €45 million for lack of transparency. TikTok must comply within six months or face a suspension of data transfers. The DPC noted risks of Chinese authorities accessing this data. TikTok plans to appeal, citing its Project Clover initiative, which includes advanced privacy technologies.
2025-05-02 | The Hacker News: TikTok Slammed With €530 Million GDPR Fine for Sending E.U. Data to China
Ireland's Data Protection Commission fined TikTok €530 million for violating GDPR by transferring EEA user data to China. The DPC stated TikTok failed to ensure equivalent privacy protections and did not adequately address concerns about potential access by Chinese authorities. The fine follows an investigation initiated in September 2021. TikTok must comply within six months and suspend data transfers to China. This is TikTok's second fine from the DPC, following a €345 million penalty in September 2023 for children's data violations.
2025-05-02 | The Guardian: TikTok fined €530m by Irish regulator for failing to guarantee China would not access user data
TikTok has been fined €530m by Ireland's Data Protection Commission for failing to ensure that European user data sent to China would not be accessed by the Chinese government, violating GDPR. The DPC found TikTok did not adequately protect EEA user data from potential Chinese authority access. TikTok must suspend data transfers to China if compliance is not achieved within six months. The company plans to appeal the ruling and claims to have implemented safeguards under its “Project Clover” data security initiative.
2025-05-02 | DIGIT: TikTok Fined €530M by Irish Data Watchdog
The Irish Data Protection Commission fined TikTok €530 million for violating EU privacy rules by inadequately protecting EU users' data transferred to China. The DPC found TikTok failed to demonstrate compliance with GDPR, citing Chinese laws that do not meet EU standards. TikTok must suspend data transfers to China and align its operations with GDPR within six months. The DPC noted concerns about transparency and government access to data, while TikTok defended its compliance efforts and investments in data security initiatives.
Hacker 'NullBulge' pleads guilty to stealing Disney's Slack data
Date: 2025-05-01 | Source: BleepingComputer
Ryan Kramer, alias "NullBulge," pleaded guilty to illegally accessing Disney's Slack, stealing over 1.1TB of data. In early 2024, he created malware disguised as an AI tool, which a Disney employee unwittingly installed, granting Kramer access to sensitive information. He threatened the employee with exposure if he didn't cooperate and later leaked the data on BreachForums. Kramer faces up to five years in prison for computer access and threats. The FBI is investigating two other individuals who downloaded the malware.
Hacker 'NullBulge' pleads guilty to stealing Disney's Slack data
2025-05-02 | SC Magazine: California man admits to Disney cyberattack
A 25-year-old California man, Ryan Kramer, pleaded guilty to a cyberattack on Disney, stealing over 1.1 terabytes of confidential data by deploying malware disguised as an AI tool. Using the alias NullBulge, he tricked GitHub users into downloading the malware, gaining access to sensitive credentials. He threatened to publish stolen data unless a Disney employee cooperated. The data, including personal information and unreleased projects, was posted on BreachForums. Kramer faces up to 10 years in prison.
2025-05-02 | TechRadar: Hacker pleads guilty to illegally accessing Disney Slack channels and stealing huge tranche of data
Ryan Mitchell Kramer, known as "NullBulge," pleaded guilty to illegally accessing Disney's internal Slack channels and stealing over 1.1 TB of data, including sensitive information. The breach prompted Disney to switch from Slack to Microsoft Teams. Kramer created a malicious AI image generation tool that, when downloaded, allowed him to access victims' computers. He faces a maximum of ten years in federal prison for two felony charges. The FBI is investigating additional victims linked to Kramer's attacks.
2025-05-02 | The Register: Disney Slack attack wasn't Russian protesters, just a Cali dude with malware
Ryan Mitchell Kramer, a 25-year-old from California, has agreed to plead guilty to accessing a computer and threatening to damage a protected computer after stealing over 1.1 TB of data from Disney. He used malware disguised as an AI art app to gain remote access to a Disney employee's computer, compromising confidential information and personal details. The incident led Disney to switch from Slack to Microsoft Teams. Kramer faces up to ten years in prison.
2025-05-02 | SC Magazine: Hacker pleads guilty to orchestrating Disney data heist
Ryan Kramer, a California man, pleaded guilty to charges related to a data breach at Disney, where over 1.1 TB of confidential files were exposed. He compromised an employee's workstation via a poisoned GitHub package posing as an AI tool, embedding a backdoor to harvest credentials. Claiming affiliation with the Russian group NullBulge, he demanded ransom and doxxed the victim when ignored. The FBI is investigating additional victims affected by Kramer's malicious project.
2025-05-05 | 404 Media: Man Who Hacked Disney With Malicious AI Tool Pleads Guilty
Ryan Mitchell Kramer, known as “NullBulge,” pleaded guilty to hacking Disney by compromising the ComfyUI tool for the AI image generator Stable Diffusion. He accessed a Disney employee's computer, downloaded 1.1 terabytes of data, and threatened to leak personal information. His actions were ideologically motivated against AI-generated art. Kramer faces two felony charges, each with a maximum five-year sentence. The FBI is investigating additional victims who downloaded the malicious file.
2025-05-06 | Ars Technica: Man pleads guilty to using malicious AI software to hack Disney employee
Ryan Mitchell Kramer, 25, pleaded guilty to hacking a Walt Disney Company employee by tricking them into installing a malicious AI image generation tool, ComfyUI_LLMVISION, which he published on GitHub. The tool contained code to steal sensitive information, including passwords and payment data, sending it to a Discord server he operated. In April 2024, the employee downloaded it, leading to unauthorized access to private Disney Slack channels and the theft of 1.1 terabytes of confidential data. The FBI is investigating.
Defense contractors to pay $8.4 million over charges of failing to meet federal cyber standards
Date: 2025-05-01 | Source: Recorded Future
U.S. defense contractors Raytheon and Nightwing Group will pay $8.4 million to settle allegations of failing to meet federal cybersecurity standards. From August 2015 to June 2021, Raytheon's CODEX division operated a non-compliant network holding non-classified defense information. The settlement, under the False Claims Act, follows similar cases involving other contractors. A whistleblower will receive over $1.5 million from the settlement. Nightwing, spun out from Raytheon in 2024, was also named in the case.
Defense contractors to pay $8.4 million over charges of failing to meet federal cyber standards
2025-05-02 | Cybersecurity Dive: Recent DOJ settlements suggest Biden cyber-fraud initiative still active
The Justice Department reached an $8.4 million settlement with Raytheon, RTX, and Nightwing for failing to implement required cybersecurity controls on a military contract-related system from 2015 to 2021. This case is linked to the Biden administration's Civil Cyber-Fraud Initiative, aimed at holding contractors accountable for cybersecurity compliance. Officials emphasized the importance of adherence to cybersecurity rules, with potential severe consequences for non-compliance in military contracts.
2025-05-02 | SC Magazine: Raytheon settles with feds for $8.4 million; Ukrainian national extradited over Nefilim cases
On May 1, the Justice Department announced two cybersecurity cases: Raytheon settled for $8.4 million for violating federal cybersecurity controls on 29 Defense Department contracts, and Ukrainian national Artem Stryzhak was extradited for alleged involvement in Nefilim ransomware attacks targeting large companies. Experts emphasized the need for stronger compliance measures and highlighted the importance of addressing payment mechanisms in combating ransomware.
Ukrainian extradited to US for Nefilim ransomware attacks
Date: 2025-05-01 | Source: BleepingComputer
A Ukrainian national, Artem Aleksandrovych Stryzhak, was extradited from Spain to the U.S. on April 30, 2025, for allegedly conducting Nefilim ransomware attacks targeting high-revenue companies in the U.S. and Europe. Arrested in June 2024, he is accused of breaching networks, stealing data, and demanding ransom payments in bitcoin. Stryzhak faces charges of conspiracy to commit fraud and extortion, with a potential sentence of up to five years if convicted.
Ukrainian extradited to US for Nefilim ransomware attacks
2025-05-01 | Recorded Future: Nefilim ransomware suspect extradited from Spain to US
A Ukrainian citizen, Artem Stryzhak, has been extradited to the U.S. for allegedly using Nefilim ransomware to target large companies, causing millions in losses. Arrested in Spain in 2024, he was charged with conspiracy to commit fraud and extortion. The indictment details a scheme from summer 2020 to fall 2021, targeting firms with over $200 million in revenue. Victims spanned various industries, and the ransomware was customized for each target, with unique decryption keys provided upon payment.
2025-05-02 | Cyberscoop: Ukrainian extradited to US for alleged Nefilim ransomware attack spree
A Ukrainian citizen, Artem Stryzhak, was extradited to the U.S. to face charges related to Nefilim ransomware attacks from late 2018 to late 2021, targeting high-revenue companies across the U.S., Canada, and Europe. Arrested in Spain in June 2024, he is accused of conspiracy to commit fraud and extortion, causing millions in losses. Stryzhak allegedly agreed to share 20% of extortion proceeds with Nefilim administrators. He is set to appear in the U.S. District Court for the Eastern District of New York.
Harrods latest retailer to be hit by cyber attack
Date: 2025-05-01 | Source: BBC News
Harrods has confirmed it was targeted by a cyber attack, prompting the company to restrict internet access at its sites while maintaining operations at its flagship store and online sales. The incident follows similar attacks on other retailers, including the Co-op, which shut down parts of its IT systems, and Marks & Spencer, which is facing significant operational disruptions. Harrods reassured customers that no immediate action is required from them and stated that updates will be provided as necessary.
Harrods latest retailer to be hit by cyber attack
2025-05-01 | The Guardian: Harrods is latest retailer to be hit by cyber-attack
Harrods has experienced a cyber-attack, prompting the shutdown of some systems while maintaining operations at its stores and website. The incident was detected earlier this week, and Harrods has restricted internet access as a precaution. No customer action is required, as no data breach is suspected. This follows similar attacks on Marks & Spencer and the Co-op, with the National Cyber Security Centre investigating potential links. Retailers are urged to enhance their cybersecurity measures in light of these incidents.
2025-05-01 | BleepingComputer: Harrods the next UK retailer targeted in a cyberattack
Harrods confirmed it was targeted in a cyberattack, becoming the third major UK retailer to report such incidents in a week, following Marks and Spencer (M&S) and Co-op. Harrods restricted access to some systems as a precaution but did not confirm if data was breached. M&S faced disruptions linked to the "Scattered Spider" group and DragonForce ransomware, while Co-op reported attempts to hack its network, prompting internal warnings about email and Microsoft Teams usage.
2025-05-02 | The Register: British govt agents step in as Harrods becomes third mega retailer under cyberattack
Harrods confirmed an attempted cyberattack, becoming the third major UK retailer targeted in under two weeks, following M&S and Co-op. The incident prompted the National Cyber Security Centre (NCSC) to assist all three retailers. Harrods restricted internet access but reported no disruption to customer services. Threat intel expert Will Thomas warned of a ransomware campaign targeting retailers. No group has claimed responsibility, and the nature of the attacks remains unclear.
2025-05-02 | TechRadar: Three massive UK retailers have been hit by cyber attacks this week – so what's going on?
Three UK retailers, including Marks & Spencer and Harrods, have recently experienced cyberattacks, likely linked to ransomware from Scattered Spider. M&S faced significant outages, resulting in a 7% drop in its share price. Co-op also took down parts of its IT systems in response. Experts warn that these incidents highlight vulnerabilities in the retail sector, exacerbated by AI-driven attacks. Security leaders are urged to implement robust incident response plans and multi-factor authentication to mitigate risks.
2025-05-02 | DIGIT: Harrods Targeted in Third Cyber-attack On a Major UK Retailer
Harrods experienced a cyber-attack on May 1, prompting its IT security team to restrict internet access while maintaining online sales. The nature of the attack remains undisclosed. This incident follows similar attacks on Marks and Spencer, which suffered a ransomware attack causing significant operational disruptions, and the Co-op, which had to shut down parts of its IT systems. The UK's National Cyber Security Centre is collaborating with affected organizations to address these threats and enhance security measures.
2025-05-02 | Recorded Future: Harrods becomes latest retailer to announce attempted cyberattack
Harrods has reported an attempted cyberattack, joining other U.K. retailers like Marks & Spencer and the Co-op. The luxury store's IT security team took immediate action to secure systems, restricting internet access while ensuring shopping remained unaffected. Marks & Spencer faced significant disruptions, with its online services down and empty shelves reported. The National Cyber Security Centre is collaborating with affected organizations to address these incidents, highlighting the growing threat of ransomware.
2025-05-02 | ABC News: Harrods becomes latest UK retailer to face cyber threat as M&S' struggles persist
British retailer Marks & Spencer is addressing a cyberattack that has disrupted its online order processing for nearly two weeks. The attack, reportedly linked to the hacking group Scattered Spider, has also prompted Harrods to restrict internet access as a precaution. Co-op has shut down some IT systems following a hack. London's Metropolitan Police is investigating the M&S incident. Experts warn that cybercriminals are exploiting vulnerabilities in interconnected supply chains, urging organizations to enhance their defenses.
2025-05-02 | SC Magazine: Harrods discloses cyberattack following targeting of other UK retailers
Luxury retailer Harrods confirmed a cyberattack attempt, becoming the third UK retailer targeted this month, following Marks & Spencer and the Co-op Group. Harrods' internal security team restricted internet access to protect operations, and its physical and online stores remain operational. The Co-op Group reported unauthorized access, leading to a shutdown of remote services. Marks & Spencer is dealing with a ransomware attack causing significant operational disruptions. The connection between the incidents is under investigation.
2025-05-02 | BleepingComputer: UK NCSC: Cyberattacks impacting UK retailers are a wake-up call
The UK National Cyber Security Centre (NCSC) has issued a warning regarding ongoing cyberattacks affecting multiple UK retailers, including Harrods, Co-op, and Marks & Spencer. Harrods confirmed a cyberattack on May 1st, prompting network restrictions. Co-op reported attempts to hack its systems, leading to disabled VPN access. Marks & Spencer experienced a ransomware attack disrupting online services, linked to the threat group Scattered Spider. The NCSC is assisting affected organizations and urges all to enhance cybersecurity measures.
2025-05-03 | Wired: Hacking Spree Hits UK Retail Giants
Three UK retailers, Co-op, Marks & Spencer, and Harrods, have recently experienced cyberattacks, with ongoing impacts. Marks & Spencer reported a "cyber incident" in late April, leading to paused online orders and recruitment. Co-op instructed staff to monitor remote meeting security after shutting down parts of its IT systems. Harrods advised customers to maintain normal activities. A ransomware cartel, DragonForce, claimed responsibility, while Scattered Spider was linked to Marks & Spencer's attack, which reportedly began in February.
2025-05-05 | DIGIT: Cyber-attacks A “Wake-up Call” to Retail Sector
Recent cyber-attacks on major UK retailers, including Marks and Spencer, Co-op, and Harrods, have prompted a government response due to concerns over customer data and IT system integrity. The National Cyber Security Centre (NCSC) is investigating potential links and tactics used, such as social engineering. Chancellor Pat McFadden will emphasize the need for enhanced cybersecurity measures, including multi-factor authentication and better threat management, as part of upcoming legislation to strengthen national defenses.
2025-05-05 | BBC News: Beware phony IT calls after Co-op and M&S hacks, says UK cyber centre
The National Cyber Security Centre (NCSC) warns that hackers are impersonating IT help desk staff to breach British retailers, including Marks & Spencer and Co-op. The NCSC advises organizations to review password reset processes and authentication methods, particularly for senior employees. Social engineering tactics are highlighted, with recommendations for additional security measures, such as using code words for verification. The attacks are linked to a group known as Scattered Spider, known for similar tactics.
2025-05-05 | SC Magazine: UK minister urges businesses to prioritize cybersecurity
UK Cabinet Office Minister Pat McFadden has warned businesses to prioritize cybersecurity following recent cyberattacks on major retailers like Marks & Spencer and Harrods. M&S had to disable online orders and suspend contactless payments due to a breach. The Co-op Group also restricted IT systems in response to an attempted attack. Investigations are underway by the National Cyber Security Centre and Metropolitan Police. McFadden will discuss the Cyber Security and Resilience Bill to enhance IT provider obligations and incident reporting.
2025-05-05 | BleepingComputer: UK shares security tips after major retail cyberattacks
Following recent cyberattacks on UK retailers Marks & Spencer, Co-op, and Harrods, the National Cyber Security Centre (NCSC) issued security guidance for businesses. M&S faced a DragonForce ransomware attack disrupting services, while Co-op confirmed significant customer data theft. NCSC recommends implementing multi-factor authentication, auditing admin accounts, and reviewing helpdesk procedures to prevent social engineering attacks. The agency emphasizes the need for heightened cybersecurity awareness among all organizations.
2025-05-06 | Security Magazine: Harrods’ Cyberattack: Cybersecurity Leaders Weigh In
Harrods experienced a cyberattack, prompting the luxury retailer to restrict internet access at its sites. The attack follows similar incidents involving Co-op and Marks & Spencer, raising concerns about a potential common threat actor, possibly Scattered Spider. While Harrods has not confirmed any data breach, experts emphasize the need for proactive cybersecurity measures and robust incident response plans. The incident highlights the increasing sophistication of cyber threats, particularly targeting high-value retailers.
Pushing passkeys forward: Microsoft’s latest updates for simpler, safer sign-ins
Date: 2025-05-01 | Source: Microsoft Security
Microsoft celebrates World Passkey Day, emphasizing the shift from passwords to passkeys for secure sign-ins. Collaborating with the FIDO Alliance, Microsoft has introduced a passwordless experience, with new accounts defaulting to passwordless options. Passkeys, which are more user-friendly and secure, have seen nearly a million registrations daily. Microsoft reports that passkey sign-ins are three times more successful and eight times faster than traditional passwords. The company encourages users to adopt passkeys to enhance security.
2025-05-01 | The Verge: Microsoft goes passwordless by default on new accounts
Microsoft is transitioning to a passwordless approach for new accounts, requiring users to utilize more secure methods like passkeys, push notifications, and security keys by default. This initiative includes a redesigned sign-in window for a smoother passwordless experience. Existing accounts can opt to remove their passwords. Microsoft has renamed “World Password Day” to “World Passkey Day” and reports nearly a million passkeys registered daily, with a 98% sign-in success rate for passkey users compared to 32% for passwords.
2025-05-02 | The Hacker News: Microsoft Sets Passkeys Default for New Accounts; 15 Billion Users Gain Passwordless Support
Microsoft has made passkeys the default authentication method for new accounts, enhancing security by eliminating passwords. New users can sign up without a password and existing users can remove theirs. The sign-in process now prioritizes passwordless methods, using one-time codes or biometric authentication. This shift aligns with industry trends towards passwordless security, supported by the FIDO Alliance, which aims to improve credential interoperability and has launched a Payments Working Group for payment authentication solutions.
2025-05-02 | BleepingComputer: Microsoft makes all new accounts passwordless by default
Microsoft has announced that all new Microsoft accounts will be "passwordless by default" to enhance security against password attacks. This change follows the rollout of updated sign-in experiences optimized for passwordless authentication. New users will have various passwordless options and can delete their passwords if desired. Microsoft aims to promote passkeys, which utilize biometric authentication, reducing password use by over 20%. The company is a board member of the FIDO Alliance, advocating for passwordless standards.
2025-05-02 | TechRadar: Microsoft is making all new accounts passwordless by default
Microsoft will make all new accounts passwordless by default, promoting secure authentication via passkeys, push notifications, and security keys. Existing users can delete their passwords for enhanced security. The company reported over 7,000 password attacks per second last year, emphasizing the need for this shift. Passkeys offer a faster login experience, and over a million are registered daily. An updated login interface prioritizing passwordless methods was introduced in March 2025, coinciding with World Password Day.
2025-05-02 | Tomsguide: No passwords required — Microsoft makes passwordless the default for new users
Microsoft has made passwordless sign-ins the default for new accounts, promoting passkeys and two-factor authentication. Users will no longer create passwords but can opt for passwordless methods like security keys. Existing users can delete their passwords in favor of these options. Microsoft reported 7,000 password attacks per second last year and anticipates increased cyber threats against accounts still using passwords. The shift aims to reduce phishing risks and enhance security.
2025-05-02 | Ars Technica: Microsoft’s new “passwordless by default” is great but comes at a cost
Microsoft is transitioning to "passwordless by default" for new accounts, promoting passkeys as an alternative to passwords. Existing users will be prompted to enroll in passkeys upon their next login. This initiative aims to reduce the security risks and management burdens associated with passwords. However, users must install the Microsoft Authenticator app to fully utilize passkeys, as other authentication apps are incompatible, potentially limiting the security benefits of the new system.
WordPress plugin disguised as a security tool injects backdoor
Date: 2025-04-30 | Source: BleepingComputer
A malware campaign targeting WordPress sites uses a malicious plugin disguised as a security tool, providing attackers with persistent access and remote code execution. Discovered by Wordfence in January 2025, the malware modifies 'wp-cron.php' to create 'WP-antymalwary-bot.php' and other plugins. It allows attackers to gain administrator access and injects JavaScript into the site's header. Website owners are advised to check 'wp-cron.php' and 'header.php' for unauthorized changes and monitor access logs for suspicious activity.
2025-05-01 | The Hacker News: Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers
A new malware campaign targets WordPress sites with a fake security plugin named "WP-antymalwary-bot.php," enabling remote admin access for attackers. Discovered in January 2025, it features remote code execution, malware propagation, and ad injection. Variants include addons.php and wpconsole.php. The malware recreates itself via a malicious wp-cron.php file. Additionally, a web skimmer campaign and carding attacks on Magento sites have been reported, involving JavaScript malware and deceptive CAPTCHA verifications.
2025-05-02 | SC Magazine: Malware gains persistence by mimicking WordPress security plugin
Security researchers at Wordfence discovered a sophisticated malware strain posing as a legitimate WordPress security plugin, identified during a site cleanup on January 22, 2025. The malware, under names like WP-antymalwary-bot.php, enables remote code execution, privilege escalation, and JavaScript injection. It communicates with a Cyprus-based command-and-control server, maintaining persistence by altering the wp-cron.php file to reinstall itself and includes a mechanism to hijack administrator accounts.
2025-05-05 | TechRadar: WordPress sites targeted by malicious plugin disguised as security tool
Security researchers from Wordfence uncovered a new WordPress malware disguised as an anti-malware plugin, named ‘WP-antymalwary-bot.php’. Detected in late April, it allows attackers to persist on websites, hide from dashboards, and execute code remotely. The malware can report to a Command & Control server and spread to other directories. Wordfence suspects the infection stemmed from compromised hosting accounts or FTP credentials. The C2 server is located in Cyprus, and AI was used to enhance the malware's legitimacy.
Apple notifies new victims of spyware attacks across the world
Date: 2025-04-30 | Source: TechCrunch
Apple has notified individuals in 100 countries, including journalist Ciro Pellegrino and activist Eva Vlaardingerbroek, about targeted spyware attacks on their iPhones, believed to be linked to government-sponsored mercenary spyware. The alerts emphasize high confidence in the detection of these attacks, which are often aimed at specific individuals due to their roles. This follows previous notifications last year regarding similar spyware threats, though the specific campaign details remain unclear.
2025-05-01 | Recorded Future: Apple notifies victims in 100 countries of likely spyware targeting
Apple has notified users in 100 countries, including journalist Ciro Pellegrino and activist Eva Vlaardingerbroek, about targeted spyware attacks. Pellegrino's device was linked to Paragon spyware, with indications of targeting critics of Italy's government. Apple stated it has "high confidence" in its findings, emphasizing the sophistication of mercenary spyware. The company has issued threat notifications in over 150 countries since 2021, highlighting the severe risks posed by such digital threats.
2025-05-02 | Security Magazine: Apple issues mercenary spyware threat notifications
Apple has issued threat notifications to individuals potentially targeted by mercenary spyware attacks, particularly those in high-risk occupations like politicians and journalists. The complexity and resource intensity of these attacks suggest involvement from state actors. Apple has been sending similar notifications since 2021, alerting individuals in over 150 countries about ongoing global threats. The nature of mercenary spyware makes it difficult to detect and prevent, as it typically focuses on a small group of victims.
SonicWall warns of more VPN flaws exploited in attacks
Date: 2025-04-30 | Source: BleepingComputer
SonicWall has reported that vulnerabilities CVE-2023-44221 and CVE-2024-38475 in its Secure Mobile Access (SMA) appliances are being actively exploited. CVE-2023-44221 is a high-severity command injection flaw, while CVE-2024-38475 is a critical flaw allowing unauthenticated remote code execution. Affected devices include SMA 200, 210, 400, 410, and 500v, with patches available in firmware version 10.2.1.14-75sv and later. SonicWall advises customers to review their devices for unauthorized logins.
2025-05-01 | The Hacker News: SonicWall Confirms Active Exploitation of Flaws Affecting Multiple Appliance Models
SonicWall confirmed active exploitation of two patched vulnerabilities in its SMA100 Secure Mobile Access appliances. CVE-2023-44221 (CVSS 7.2) allows command injection by authenticated attackers, while CVE-2024-38475 (CVSS 9.8) permits unauthorized file access, potentially leading to session hijacking. Affected models include SMA 200, 210, 400, 410, and 500v, with fixes released on December 4, 2023, and December 4, 2024. Customers are urged to check for unauthorized logins.
2025-05-01 | SC Magazine: SonicWall confirms exploitation of two SMA 100 bugs, one critical
On April 29, SonicWall confirmed exploitation of two vulnerabilities in its SMA 100 Series remote access devices, including a critical flaw (CVE-2024-38475) rated 9.8, allowing path traversal attacks. The second vulnerability (CVE-2023-44221) is rated 7.2 and permits OS command injection. Experts recommend immediate patching, implementing micro-segmentation, and enhancing monitoring for anomalous activity to mitigate risks associated with these vulnerabilities.
DarkWatchman cybercrime malware returns on Russian networks
Date: 2025-04-30 | Source: Recorded Future
A hacker group named Hive0117 has launched a phishing campaign targeting Russian companies across various sectors, utilizing a modified version of DarkWatchman malware. The campaign involves emails with password-protected malicious archives that, when opened, allow the malware to record keystrokes and collect data. The group's activities, which began in February 2022, are not linked to the Russia-Ukraine cyber conflict. The extent of financial damage from the recent attacks remains unclear.
2025-05-01 | The Hacker News: DarkWatchman, Sheriff Malware Hit Russia and Ukraine with Stealth and Nation-Grade Tactics
A large-scale phishing campaign has targeted Russian companies using the DarkWatchman malware, affecting sectors like media, finance, and energy. The financially motivated group Hive0117 is linked to these attacks, which have escalated since September 2023. DarkWatchman, a JavaScript-based remote access trojan, can keylog and evade detection. Additionally, a new backdoor called Sheriff has targeted Ukraine's defense sector, utilizing a news portal for distribution and capable of data exfiltration and command execution.
2025-05-01 | SC Magazine: Updated DarkWatchman malware sets sights on Russia
Telecommunications, energy, finance, media, biotechnology, and tourism sectors in Russia have faced attacks from an updated version of DarkWatchman malware, part of the Hive0117 phishing campaign. This campaign, active since February 2022, uses malicious emails with password-protected archives to deploy malware enabling keystroke logging and data exfiltration. The origins of Hive0117 are unclear, but it has previously spoofed organizations in multiple countries. AI and social engineering techniques are increasingly used in investment fraud schemes in Russia.
2025-05-01 | SC Magazine: Widespread Fortune 500 firm infiltration conducted by North Koreans
North Korean attackers have infiltrated various Fortune 500 firms in sectors including telecommunications, energy, finance, media, biotechnology, and tourism in Russia. This is part of a Hive0117 phishing campaign utilizing a new version of DarkWatchman malware. The attacks are reported to be unrelated to the ongoing Russia-Ukraine conflict, as stated by The Record, a cybersecurity news site by Recorded Future.
Ascension discloses new data breach after third-party hacking incident
Date: 2025-04-30 | Source: BleepingComputer
Ascension disclosed a data breach affecting patient information due to a third-party hacking incident involving a former business partner. The breach, identified on December 5, 2024, was confirmed on January 21, 2025, revealing exposure of personal and health data, including Social Security numbers. Affected individuals include at least 96 Massachusetts residents. Ascension is offering two years of free identity monitoring services. The incident is linked to Clop ransomware attacks exploiting a flaw in Cleo software.
2025-05-01 | TechRadar: Millions of users possibly at risk after Ascension healthcare reveals new data breach, potentially linked to Cl0p ransomware
Ascension healthcare disclosed a data breach affecting millions, linked to a December 2024 incident involving a former business partner. Sensitive PII, including names, addresses, SSNs, and health data, was stolen due to a vulnerability in third-party software. This follows a May 2024 ransomware attack impacting six million patients. Ascension is offering two years of free identity monitoring services to those affected. The breach may be connected to the Cl0p ransomware attack, which targeted multiple organizations.
2025-05-01 | SC Magazine: Third-party breach compromises Ascension Health patient data
Ascension Health reported a data breach involving patient information due to a compromise of a former business partner's third-party software in December. Data potentially exfiltrated includes names, birthdates, addresses, phone numbers, email addresses, Social Security numbers, race, gender, and clinical details from patients in Alabama, Indiana, Michigan, Tennessee, and Texas. Ascension clarified that its own systems were not involved and is offering two years of free identity monitoring to affected individuals.
2025-05-01 | Recorded Future: More than 100,000 impacted by December data breach at Ascension Health
Ascension Health reported a data breach affecting over 100,000 individuals, with 114,692 confirmed in Texas. The breach occurred on December 5, 2024, due to a vulnerability in third-party software used by a former business partner. Hackers accessed demographic data, Social Security numbers, clinical information, and details about medical visits. Ascension's prior ransomware attack in 2024 compromised 5,599,699 records, raising concerns about ongoing vulnerabilities in the healthcare sector.
Hackers target the Co-op as police probe M&S cyber attack
Date: 2025-04-30 | Source: BBC News
The Co-op has implemented proactive measures to thwart a hacking attempt, resulting in minor disruptions to its call center and back office operations. Concurrently, the Metropolitan Police are investigating a significant cyber attack on Marks & Spencer (M&S), although no connection between the two incidents has been established. The Co-op operates over 2,500 supermarkets and 800 funeral homes across the UK, also supplying food to Nisa shops.
2025-04-30 | Recorded Future: Co-op announces ‘attempted’ cyberattack in wake of M&S incident
The Co-op retail chain in the UK announced an attempted cyberattack, prompting a proactive shutdown of part of its IT systems. The attack was detected at least three days prior and follows a similar incident affecting competitor Marks & Spencer. While some back-office and call center services were impacted, stores and home deliveries continued without interruption. There is currently no evidence of data compromise, but disruptions may affect stock tracking. The Co-op has over 50,000 employees and reported significant profits recently.
2025-04-30 | TechCrunch: UK retail giant Co-op warns of disruption as it battles cyberattack
U.K. retail giant The Co-operative Group is experiencing disruptions due to an attempted cyberattack, prompting the shutdown of some IT systems. A spokesperson confirmed proactive measures were taken to safeguard systems, affecting back office and call center functions. The nature of the attack remains unclear, and it is unknown if it was successful. The Co-op is collaborating with the National Cyber Security Centre but has not disclosed details to the Information Commissioner’s Office.
2025-04-30 | DIGIT: Co-op Shuts Down IT Systems Following Hack Attempt
Co-op shut down its IT systems following an attempted hack, which had a minor impact on back-office and call center services. All stores and funeral homes continued operations normally. The incident occurred shortly after a cyber-attack on M&S, attributed to the Scattered Spider gang. Experts emphasize the need for retailers to enhance resilience against such threats, highlighting vulnerabilities in legacy systems and the importance of proactive security measures to protect customer data and business operations.
2025-04-30 | BleepingComputer: UK retailer Co-op shuts down some IT systems after hack attempt
British supermarket chain Co-op shut down parts of its IT systems following an attempted intrusion, affecting back office and call center services. A spokesperson confirmed unauthorized access attempts but did not disclose if they were successful. While some services were disrupted, stores and other operations continued normally. This incident follows a cyberattack on Marks & Spencer, attributed to "Scattered Spider," which led to the suspension of online orders due to the deployment of DragonForce ransomware.
2025-04-30 | TechRadar: Co-op fending off hackers by shutting down IT systems
British supermarket Co-op has shut down parts of its IT systems in response to an attempted cyberattack, taking proactive measures to defend against unauthorized access. The incident had a small impact on the back office and call center, with all stores and funeral homes continuing operations. This follows a ransomware attack on Marks and Spencer that disrupted services. The scope of Co-op's incident and its attack vector remain unclear, and the Metropolitan Police is investigating the M&S attack.
2025-05-01 | BBC News: Co-op cyber attack: Staff told to keep cameras on in meetings
Co-op is currently managing a cyber attack, prompting staff to keep cameras on during remote meetings to verify identities and prevent unauthorized access. The company has shut down parts of its IT systems, restricting remote access and advising against sharing sensitive information. Meanwhile, Marks & Spencer is facing a ransomware attack linked to the DragonForce service, with the Metropolitan Police investigating. The National Cyber Security Centre is advising retailers to remain vigilant.
2025-05-01 | SC Magazine: Cyberattack prompts shutdown of certain Co-op IT systems
Major UK retailer The Co-operative Group (Co-op) shut down certain IT systems following a cyberattack, shortly after Marks & Spencer faced a suspected Scattered Spider hack. While store operations continued, some back-office and call center services were minimally affected. Experts highlighted the incident as a sign of inadequate cyber resilience, urging retailers to adopt proactive resilience engineering in their IT strategies to prevent operational disruptions from intrusions.
2025-05-02 | BBC News: Co-op cyber attack affects customer data, firm admits, after hackers contact BBC
Hackers known as DragonForce have claimed to have stolen a significant amount of customer and employee data from Co-op, asserting that the breach is more serious than the company has acknowledged. They claim to possess information on 20 million members, including names, addresses, and membership card data. Co-op has confirmed unauthorized access but downplayed the impact. Following the breach, staff were instructed to enhance security measures during internal communications.
2025-05-02 | BleepingComputer: Co-op confirms data theft after DragonForce ransomware claims attack
Co-op confirmed a significant data theft following a cyberattack attributed to DragonForce ransomware, affecting many current and past customers. The breach, believed to have occurred on April 22, involved social engineering tactics to reset an employee's password, leading to the extraction of personal data, including names and contact details, but not financial information. Co-op is working with Microsoft DART and KPMG to rebuild systems. DragonForce claims to possess data from 20 million members and has warned Co-op's executives about ongoing threats.
2025-05-05 | TechRadar: Co-op crisis deepens as it admits UK customer data stolen in cyberattack - up to 20 million people possibly affected, here's what we know
Co-op has confirmed a cyberattack by "DragonForce," resulting in the theft of customer data affecting up to 20 million individuals. The hackers claimed to have accessed personal information, including names, contact details, and membership card data, but not passwords or financial information. Co-op advised customers to change their passwords and remain vigilant against potential phishing attacks, especially those using QR codes. This incident follows similar attacks on other UK retailers.
Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool
Date: 2025-04-30 | Source: The Hacker News
A China-aligned APT group, TheWizards, has been linked to a lateral movement tool called Spellbinder, facilitating adversary-in-the-middle (AitM) attacks via IPv6 SLAAC spoofing. This tool intercepts legitimate software updates, such as Sogou Pinyin and Tencent QQ, redirecting them to malicious servers to deliver a modular backdoor, WizardNet. TheWizards targets sectors in Cambodia, Hong Kong, and the UAE. The tool has been active since at least 2022, utilizing techniques to hijack DNS queries for malicious updates.
2025-05-01 | BleepingComputer: Hackers abuse IPv6 networking feature to hijack software updates
A China-aligned APT group, "TheWizards," exploits the IPv6 Stateless Address Autoconfiguration (SLAAC) feature to conduct adversary-in-the-middle attacks, hijacking software updates to install Windows malware. Active since 2022, they target entities in the Philippines, Cambodia, UAE, China, and Hong Kong. Their tool, "Spellbinder," sends spoofed Router Advertisement messages to reroute traffic through attacker-controlled servers, ultimately deploying a backdoor named "WizardNet." Organizations are advised to monitor IPv6 traffic or disable it if unnecessary.
2025-05-01 | SC Magazine: IPv6 SLAAC exploited by Chinese APT for AitM attacks
Chinese APT group TheWizards has exploited IPv6 SLAAC for adversary-in-the-middle attacks, utilizing the Spellbinder tool for spoofing and malicious software updates. Targeted networks include gambling entities in China, Hong Kong, Cambodia, the Philippines, and the UAE. The attack involved distributing a ZIP file with executables and DLLs, leading to the deployment of the WizardNet backdoor. The group also employs the DarkNights tool, linked to Sichuan Dianke Network Security Technology.
DHS Secretary Noem: CISA needs to get back to ‘core mission’
Date: 2025-04-30 | Source: Cyberscoop
Homeland Security Secretary Kristi Noem emphasized a renewed focus for CISA on protecting critical infrastructure from threats, particularly from China, during her speech at the 2025 RSAC Conference. She criticized previous leadership for mission drift, particularly in misinformation efforts, and outlined priorities including enhanced information sharing, secure technology procurement, and reforms to advisory bodies. Noem also highlighted the need for federal oversight balanced with state-level innovation and discussed the role of AI in cybersecurity.
2025-04-30 | SC Magazine: At RSAC, Kristi Noem calls to rein in CISA and reset DHS cyber strategy
Homeland Security Secretary Kristi Noem, at RSAC, criticized CISA's focus on disinformation and called for a realignment of the agency to prioritize cybersecurity. She announced a review of CISA, suggesting a shift towards technical assistance for state and local governments. Noem emphasized reducing federal overreach, fostering private sector innovation, and establishing secure communications. She confirmed the closure of DHS’s Science and Technology Directorate, advocating for partnerships with academia for cybersecurity research and workforce development.
2025-04-30 | Cybersecurity Dive: DHS secretary vows to refocus CISA, saying it strayed from mission
Homeland Security Secretary Kristi Noem announced plans to refocus the Cybersecurity and Infrastructure Security Agency (CISA) on its core mission of combating cyber threats and protecting critical infrastructure. She criticized CISA for overstepping its mandate and emphasized the need for secure technology development. Noem acknowledged the threat from Chinese hackers targeting small businesses and local governments. The Trump administration aims to reduce regulatory burdens and enhance state-level cyber resilience while addressing job cuts at CISA.
2025-04-30 | SC Magazine: 4 top-line takeaways from RSAC 2025
The RSAC 2025 highlighted the evolving cybersecurity landscape, emphasizing the uncertainty surrounding CISA's future due to leadership changes and budget pressures. This instability may delay critical initiatives and undermine confidence in centralized guidance. AI's role has shifted to operational urgency, with concerns about autonomous systems. Nation-state attacks are becoming bolder and harder to attribute. The private sector must enhance defenses and support CISA's mission through transparency and collaboration to ensure resilience in cybersecurity.
2025-04-30 | Cyberscoop: Congressional officials wonder how CISA can carry out core mission in face of workforce cuts
Concerns were raised at the RSAC 2025 Conference regarding CISA's ability to fulfill its cybersecurity mission amid workforce cuts. Homeland Security Secretary Kristi Noem emphasized the need to focus on protecting federal networks and critical infrastructure. Congressional staff highlighted the importance of retaining CISA personnel to maintain institutional knowledge. Legislative efforts, such as the PIVOTT Act, aim to rapidly train individuals for cybersecurity roles, addressing the significant talent gap in the field.
WhatsApp Is Walking a Tightrope Between AI Features and Privacy
Date: 2025-04-29 | Source: Wired
WhatsApp will introduce cloud-based AI features while maintaining its end-to-end encryption. The new "Private Processing" aims to ensure user data remains inaccessible to Meta or any third party during AI tasks. Users can opt in and control AI usage in chats via "Advanced Chat Privacy." The system employs a "Trusted Execution Environment" to safeguard sensitive data and will undergo third-party audits. Meta plans to make components open source for enhanced security verification.
2025-04-29 | The Hacker News: WhatsApp Launches Private Processing to Enable AI Features While Protecting Message Privacy
WhatsApp has introduced a new feature called Private Processing, enabling AI capabilities while maintaining message privacy. This technology allows users to process messages securely within a confidential virtual machine (CVM), ensuring that no third party, including Meta, can access the data. Key principles include enforceable guarantees, verifiable transparency, and non-targetability. Meta acknowledges potential vulnerabilities but emphasizes a defense-in-depth strategy. The feature is expected to roll out in the coming weeks.
2025-04-30 | BleepingComputer: WhatsApp unveils 'Private Processing' for cloud-based AI features
WhatsApp introduced 'Private Processing,' allowing users to access AI features like message summarization via privacy-preserving cloud servers. This opt-in feature ensures user anonymity through anonymous authentication and public HPKE encryption keys. Data is processed in a Confidential Virtual Machine (CVM), with all messages deleted post-processing. Meta plans to share the CVM binary for external validation. Users concerned about data privacy should keep the feature disabled, while 'Advanced Chat Privacy' offers additional control.
France blames Russian military intelligence for years of cyberattacks on local entities
Date: 2025-04-29 | Source: Recorded Future
France has publicly attributed a series of cyberattacks against its institutions to APT28, a hacker group linked to Russia's military intelligence (GRU). The French foreign ministry condemned these actions, stating APT28 has targeted around ten entities since 2021, including public services and a sports organization. The group, active since 2004, employs tactics like phishing and zero-day exploits. France aims to collaborate with allies to counter Russian cyber threats amid rising geopolitical tensions.
2025-04-29 | BleepingComputer: France ties Russian APT28 hackers to 12 cyberattacks on French orgs
The French foreign ministry has attributed 12 cyberattacks on French organizations over the past four years to the Russian APT28 hacking group, linked to the GRU. The attacks targeted various entities, including government and defense organizations. The French National Agency for the Security of Information Systems (ANSSI) noted APT28's use of low-cost infrastructure for phishing and intelligence theft. France condemned these actions and emphasized its commitment to countering Russia's cyber threats.
2025-04-29 | The Verge: France accuses Russia of a decade’s worth of high-profile cyberattacks
France's Foreign Ministry has publicly accused Russia of orchestrating a decade of cyberattacks, attributed to the APT28 hacking group, aimed at destabilizing the country and gathering intelligence. Notable incidents include the 2015 hijacking of a TV broadcast and the 2017 leak of President Macron's emails. Since 2021, attacks have intensified against various sectors, including government and finance. France revealed the location of one APT28 unit, signaling its cyber defense capabilities amid ongoing geopolitical tensions.
2025-04-30 | Risky.Biz: Risky Bulletin: French government grows a spine and calls out Russia's hacks
The French government has publicly attributed several cyberattacks to Russia's GRU military intelligence, marking a significant policy shift. Notable incidents include the MacronLeaks, the TV5 hack, and disruptions related to the 2024 Paris Olympics. French officials condemned these actions as unacceptable for a UN Security Council member. This attribution aligns with France's ongoing cybersecurity research and aims to bolster its leadership in Europe amid rising tensions and potential new sanctions against Russia.
2025-04-30 | TechRadar: France accuses Russian GRU hackers of targeting French organizations
France has accused the Russian cyber espionage group APT28 (Fancy Bear) of breaching at least 12 French organizations, including defense firms and government agencies, over the past four years. The French Foreign Ministry condemned these actions as attempts to destabilize the state, particularly amid rising geopolitical tensions following the Ukraine invasion. France vowed to use all means to counter Russia's cyber threats, highlighting APT28's ongoing attacks on European entities and critical infrastructure.
Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi
Date: 2025-04-29 | Source: Wired
A collection of vulnerabilities known as AirBorne affects Apple’s AirPlay, allowing hackers to hijack AirPlay-enabled devices on the same Wi-Fi network. Researchers from Oligo estimate tens of millions of third-party devices are vulnerable, with many unlikely to receive patches. Exploitation could enable hackers to control devices, access networks, or use them for espionage. Apple has issued patches for its devices and collaborated with Oligo on fixes, but risks remain for unpatched third-party gadgets.
2025-04-29 | Tomsguide: AirPlay flaw exposes all Apple devices to hacking over Wi-Fi — what you need to know
A collection of vulnerabilities known as "AirBorne" exposed millions of AirPlay-enabled devices to potential hacking over Wi-Fi. Threat actors could execute code on devices like smart TVs and speakers connected to the same network. While Apple has patched these vulnerabilities on its devices, many third-party smart home devices remain unpatched, posing ongoing risks. Users are advised to keep devices updated and use strong, unique passwords to mitigate potential threats.
2025-04-29 | BleepingComputer: Apple 'AirBorne' flaws can lead to zero-click AirPlay RCE attacks
A set of 23 vulnerabilities in Apple's AirPlay Protocol and SDK, collectively termed "AirBorne," allows for zero-click remote code execution (RCE) attacks, man-in-the-middle attacks, and denial of service. Discovered by Oligo Security, these flaws can be exploited on the same network, potentially compromising multiple devices. Apple released security updates on March 31 for various devices. Users are advised to update their devices and restrict AirPlay access to mitigate risks.
2025-04-29 | The Verge: AirPlay security flaws could help hackers spread malware on your network
Cybersecurity firm Oligo identified vulnerabilities in Apple’s AirPlay protocol, dubbed “AirBorne,” which could allow malware to spread across local networks. Two vulnerabilities are “wormable,” enabling remote code execution (RCE) and access to sensitive information. Risks extend to CarPlay devices, where attackers could exploit weak Wi-Fi passwords. Apple has patched the issues, but third-party devices remain at risk, as Apple does not control their patching process.
2025-04-30 | TechRadar: Millions of Apple AirPlay devices susceptible to 'AirBorne' zero-click RCE attacks, so patch now
Security researchers identified 23 vulnerabilities in Apple's AirPlay protocol, collectively named "AirBorne," which could enable remote code execution (RCE), man-in-the-middle, and denial of service attacks. Notably, CVE-2025-24252 and CVE-2025-24132 allow RCE, while CVE-2025-24206 bypasses user interaction requirements. Apple has patched these flaws in iOS, iPadOS, macOS, and visionOS. The vulnerabilities affect approximately 2.35 billion devices, posing significant risks for enterprise networks.
2025-04-30 | Times Now: AirPlay Bugs Could Let Hackers Hijack Your Apple Device: All You Need To Know
Security firm Oligo identified 23 vulnerabilities in Apple’s AirPlay feature, named “Airborne,” allowing hackers to hijack devices on public Wi-Fi. Apple has patched 17 of these flaws across its platforms, but many third-party devices remain unprotected. The vulnerabilities could lead to malware spread, data theft, or ransomware attacks. Oligo recommends updating all Apple devices, disabling AirPlay Receiver on Macs, and limiting AirPlay access to enhance security.
2025-04-30 | Ars Technica: Millions of Apple Airplay-enabled devices can be hacked via Wi-Fi
A collection of vulnerabilities named AirBorne affects millions of AirPlay-enabled devices, allowing hackers to exploit them via Wi-Fi. Researchers from Oligo revealed that flaws in the AirPlay SDK could enable unauthorized access to speakers, TVs, and other devices on the same network. While Apple has patched vulnerabilities in its devices, many third-party devices remain unpatched. Users are urged to update their devices to mitigate risks, as hackers could gain control and use them for further attacks.
Government hackers are leading the use of attributed zero-days, Google says
Date: 2025-04-29 | Source: TechCrunch
Government hackers were responsible for the majority of attributed zero-day exploits in 2024, according to Google. The number of zero-day exploits dropped from 98 in 2023 to 75 in 2024, with at least 23 linked to state-sponsored actors, including 10 directly from government hackers (five each from China and North Korea). The report noted that spyware makers contributed eight exploits, while 11 were likely used by cybercriminals. Notably, software defenses are improving, making exploitation more challenging.
2025-04-29 | Cybersecurity Dive: Zero-day exploitation drops slightly from last year, Google report finds
In a report from Google, zero-day vulnerability exploitation decreased in 2024 compared to 2023, attributed to improved secure software development practices. However, there is a gradual increase in exploitation rates over time. Notably, 44% of zero-day exploits targeted enterprise platforms, up from 37% in 2023, with 60% of these affecting security and networking products. Government-backed cyber espionage accounted for 29% of exploitations, with North Korea and China equally responsible for incidents.
2025-04-29 | BleepingComputer: Google: 97 zero-days exploited in 2024, over 50% in spyware attacks
In 2024, Google reported 75 zero-day vulnerabilities exploited, a decrease from 97 in 2023, with over 50% linked to spyware attacks. Cyber-espionage actors, including China and North Korea, were significant contributors. End-user platforms accounted for 56% of exploits, with Windows zero-days rising to 22. Notable enterprise vulnerabilities included those in Ivanti and Cisco products. Analysts noted a shift towards targeting enterprise software, emphasizing the need for proactive security measures from vendors.
2025-04-29 | The Hacker News: Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products
Google reported 75 zero-day vulnerabilities exploited in 2024, a decrease from 98 in 2023, with 44% targeting enterprise products. Notably, 20 flaws affected security software from vendors like Ivanti and Cisco. Microsoft Windows had the highest count with 22 exploited flaws. Six threat activity clusters were identified, including state-sponsored espionage and financially motivated groups. Google also discovered exploit chains targeting users via malicious JavaScript and vulnerabilities in Firefox and Tor browsers.
2025-04-29 | The Register: Enterprise tech dominates zero-day exploits with no signs of slowdown
In 2024, 75 zero-day vulnerabilities were exploited, a decrease from 98 in 2023 but an increase from 63 in 2022. Over 50% were linked to cyberespionage, primarily by state-sponsored groups from China and North Korea. Enterprise tech remains a prime target, with 44% of zero-days affecting these products, notably Ivanti, Palo Alto Networks, and Cisco. The underground market for zero-days is thriving, prompting calls for improved vulnerability management and proactive security practices among vendors.
2025-04-30 | Recorded Future: Google: 75 zero-days seen in 2024 as nations, spyware vendors continue exploitation
In 2024, Google reported 75 zero-day vulnerabilities exploited in the wild, down from 98 in 2023. Cyber espionage remains the primary motivation, with China, Russia, and North Korea leading the exploitation efforts. Notably, 33 of the zero-days targeted enterprise software and appliances, particularly from Ivanti, Palo Alto Networks, and Cisco. Google warns that attackers are increasingly focusing on security products, which can lead to extensive system compromises. Recommendations include improving configurations to limit vulnerabilities.
2025-04-30 | TechRadar: 75 zero-day exploitations spotted by Google, governments increasingly responsible for attacks
In 2024, Google’s Threat Intelligence Group reported 75 zero-day vulnerabilities, primarily exploited by state-sponsored actors, notably from China and North Korea. The number of zero-days decreased from 98 in 2023, but exploitation rates continue to rise. Notably, 44% targeted enterprise technologies, especially security software, with government-backed groups responsible for over 50% of attributed vulnerabilities. Windows exploits increased to 22, while Safari and iOS saw declines.
2025-04-30 | SC Magazine: Abuse of zero-days dips last year, reports Google
Abuse of zero-day vulnerabilities has decreased between 2023 and 2024 due to improved software development practices, according to Google's Threat Intelligence Group. While there is a decline in exploits against web browsers and mobile devices, an increase is anticipated as threat actors target enterprise platforms, which account for 60% of exploits. Most attacks in 2024 are attributed to state-backed cyberespionage groups, with North Korea and China showing similar exploit rates for the first time.
CISA Adds Actively Exploited Broadcom and Commvault Flaws to KEV Database
Date: 2025-04-29 | Source: The Hacker News
CISA added two high-severity vulnerabilities to its KEV catalog: CVE-2025-1976 (CVSS 8.6) in Broadcom Brocade Fabric OS, allowing local admin users to execute arbitrary code, and CVE-2025-3928 (CVSS 8.7) in Commvault Web Server, enabling remote authenticated attackers to create web shells. Patches are due by May 17, 2025, for Commvault and May 19, 2025, for Broadcom. Exploitation details remain undisclosed, but both vulnerabilities are actively exploited.
2025-04-29 | BleepingComputer: CISA tags Broadcom Fabric OS, CommVault flaws as exploited in attacks
CISA warns that vulnerabilities in Broadcom Brocade Fabric OS (CVE-2025-1976), Commvault web servers (CVE-2025-3928), and Qualitia Active! Mail (CVE-2025-42599) are actively exploited. The Fabric OS flaw allows arbitrary code execution with admin access, fixed in version 9.1.1d7. The Commvault flaw enables remote webshell planting by authenticated attackers, addressed in multiple versions. The Active! Mail buffer overflow affects all versions up to 6.60.05008561, with a fix in 6.60.06008562. Deadlines for applying fixes are May 17 and May 19, 2025.
2025-04-30 | SC Magazine: CISA: Attacks involving Qualitia, Commvault, Broadcom bugs ongoing
Ongoing attacks are exploiting a critical vulnerability in Qualitia's Active! mail 6 (CVE-2025-42599) allowing remote code execution or denial-of-service. Additionally, two high-severity vulnerabilities in Commvault (CVE-2025-3928) and Broadcom Brocade Fabric OS (CVE-2025-1976) have been identified, enabling webshells for instance compromise and command execution, respectively. CISA recommends remediation by May 17, following their addition to the Known Exploited Vulnerabilities catalog.
Krebs: People should be ‘outraged’ at efforts to shrink federal cyber efforts
Date: 2025-04-29 | Source: Recorded Future
Former CISA chief Chris Krebs expressed outrage at the Trump administration's efforts to reduce federal cybersecurity resources during a panel at the RSA Conference. He criticized the potential firing of up to 1,300 CISA employees, which would halve the agency's staff, and highlighted the risks posed by Chinese hacking groups. Krebs called for increased cybersecurity personnel and resources, emphasizing that cybersecurity is crucial for national security. An open letter from the Electronic Frontier Foundation urged the administration to rescind a recent order affecting CISA.
2025-04-29 | SC Magazine: Trump's undermining of federal cyber efforts demands outrage, says ex-CISO chief Krebs
Former CISA Director Chris Krebs criticized the Trump administration's cybersecurity cutbacks, including workforce reductions at CISA, calling for outrage from the cybersecurity community. He warned that these downsizing efforts would weaken defenses against Chinese state-sponsored threats like Salt Typhoon, Volt Typhoon, and Flax Typhoon, which have already compromised U.S. telecommunications and critical infrastructure. Krebs emphasized the need for more cybersecurity personnel and resources to enhance national defenses.
2025-04-30 | The Register: Ex-CISA chief decries cuts as Trump demands loyalty above all else
Jen Easterly, former CISA chief, criticized personnel and budget cuts at CISA under the Trump administration, emphasizing that loyalty to the President over the Constitution undermines national cybersecurity. Speaking at the RSA Conference, she highlighted that CISA's election security budget was only $45 million of its $3 billion total. Easterly warned that these cuts jeopardize U.S. cybersecurity amid increasing threats, including cybercrime and foreign infiltration of critical infrastructure.
Cybersecurity experts issue response to Trump order targeting Chris Krebs, SentinelOne
Date: 2025-04-28 | Source: Cyberscoop
A letter signed by over 30 cybersecurity experts condemns President Trump's executive order revoking security clearances for SentinelOne employees and targeting Chris Krebs, former CISA director. The order, described as retaliatory, aims to intimidate cybersecurity professionals whose findings contradict the administration. The signatories demand reinstatement of clearances and withdrawal of the Justice Department investigation into Krebs. Notable signatories include academics and former CISOs, emphasizing solidarity against such punitive actions.
2025-04-28 | Cybersecurity Dive: Cyber experts urge Trump to abandon Chris Krebs investigation
Dozens of cybersecurity experts urged President Trump to abandon the investigation of former CISA Director Chris Krebs, calling it retribution for his assertion that the 2020 election was secure. Organized by the Electronic Frontier Foundation, the letter highlights concerns about the chilling effect on election security efforts and emphasizes the need for independent cybersecurity professionals to operate without political pressure. The signatories stress the importance of truthful reporting in securing systems.
2025-04-29 | The Register: Infosec pros tell Trump to quit bullying Chris Krebs – it's undermining security
An open letter from the Electronic Frontier Foundation and 40 cybersecurity leaders urges President Trump to cease his investigation into Chris Krebs, former head of CISA, arguing it undermines cybersecurity efforts. The letter claims Trump's actions threaten the independence of cybersecurity professionals and their ability to report truthfully. Krebs, who was fired after asserting the 2020 election's security, recently resigned from SentinelOne, stating he will continue to fight for democracy and free speech.
Hitachi Vantara takes servers offline after Akira ransomware attack
Date: 2025-04-28 | Source: BleepingComputer
Hitachi Vantara took servers offline following an Akira ransomware attack on April 26, 2025, disrupting some systems. The company engaged external cybersecurity experts to assess the impact and remediate the incident. While cloud services remain unaffected, operations related to Hitachi Vantara Manufacturing and several government projects were disrupted. The Akira ransomware group, known for targeting various industries, has previously extorted around $42 million from over 250 organizations.
2025-04-29 | TechRadar: Hitachi Vantara takes down important systems following Akira ransomware attack
On April 26, 2025, Hitachi Vantara confirmed a ransomware attack attributed to the Akira ransomware operation, leading to significant disruptions in its systems. The company took down parts of its infrastructure to contain the incident and is working with third-party experts to restore services. Sensitive files were reportedly stolen, and a ransom is being demanded. While cloud services remained unaffected, the attack impacted both Hitachi Vantara and Hitachi Vantara Manufacturing systems.
2025-04-29 | SC Magazine: Akira ransomware reportedly disrupts Hitachi Vantara
Hitachi Vantara experienced a cyberattack attributed to the Akira ransomware gang, disrupting its servers over the weekend. The incident involved file exfiltration, prompting an investigation with external cybersecurity experts. While the attack impacted Hitachi Vantara Manufacturing, customers with self-hosted environments retained data access. Reports indicate that government organizations' projects were also affected. The Akira group has compromised over 300 organizations globally and has collected nearly $42 million in ransom payments as of April 2024.
Cybersecurity vendors are themselves under attack by hackers, SentinelOne says
Date: 2025-04-28 | Source: Cyberscoop
A SentinelOne report reveals that cybersecurity vendors are increasingly targeted by hackers, including ransomware groups and state-sponsored actors from China and North Korea. The report highlights incidents of intrusion attempts against U.S.-based cybersecurity firms, emphasizing the risks posed by adversaries who can gain insights into numerous protected environments. SentinelOne tracked 360 fake personas linked to North Korean IT operations and noted ransomware operators seeking access to enterprise security tools.
2025-04-29 | SC Magazine: Report: Cyber threats bombard cybersecurity vendors
Multiple cybersecurity threats have targeted firms like SentinelOne, including intrusions from Chinese state-backed operations and ransomware gangs attempting to infiltrate their security tools. North Korean hackers launched a fake IT worker campaign against SentinelOne, using 360 fraudulent personas and 1,000 job applicants. Researchers emphasize that compromising a security company can provide adversaries with insights into the protection of numerous environments and endpoints, making cybersecurity vendors attractive targets.
2025-04-30 | TechRadar: SentinelOne targeted by Chinese espionage campaign probing customers and infrastructure
SentinelOne reported a cyber-espionage campaign by Chinese state-sponsored actors targeting the company and its clients, including Fortune 10 and Global 2000 enterprises. The company identified 360 fake personas linked to North Korean operations applying for jobs. The threat actor group, PurpleHaze, was noted for reconnaissance attempts against SentinelOne's infrastructure and clients, utilizing an operational relay box network and the GoReShell Windows backdoor.
2025-05-01 | Risky.Biz: Security Vendors Are Constantly Being Attacked
SentinelOne's report reveals a surge in attacks targeting security vendors, particularly from North Korean IT workers using fake identities to apply for jobs. The company tracked 360 fake personas and over 1,000 applications, adapting its recruitment process to identify threats. SentinelOne's CISO speculated that its prominence in the crypto industry makes it a target. The report highlights the need for collaboration between security researchers and public sector partners to combat these threats effectively.
Cyber-espionage campaign found targeting exiled Uyghurs
Date: 2025-04-28 | Source: Recorded Future
In March, senior members of the World Uyghur Congress were targeted in a spearphishing campaign aimed at installing Windows-based malware for remote surveillance. The campaign, linked to the Chinese government, involved a file mimicking a trusted Uyghur-language tool. Although the malware was unsophisticated, the delivery was tailored. Victims received Google threat notifications and sought assistance from the Citizen Lab, which identified email messages containing links that led to a password-protected RAR archive, enabling further malicious activity.
2025-04-28 | TechCrunch: Citizen Lab says exiled Uyghur leaders targeted with Windows spyware
In March 2023, Citizen Lab reported that unknown hackers targeted leaders of the exiled Uyghur community using Windows spyware. The campaign involved phishing emails impersonating trusted contacts, leading to a malicious Uyghur language text editor. Google alerted some members of the World Uyghur Congress (WUC) about the hacking. While the attack lacked sophisticated exploits, it demonstrated effective social engineering tailored to the target community.
2025-04-28 | TechCrunch: Citizen Lab says exiled Uyghur leaders targeted with Windows spyware
In March 2023, Citizen Lab reported that unknown hackers targeted leaders of the exiled Uyghur community using Windows spyware. The campaign involved a phishing email impersonating a trusted contact, containing a malicious Uyghur language text editor. Google alerted some members of the World Uyghur Congress about the hacking, prompting further investigation. While the attack lacked sophisticated exploits, it demonstrated significant social engineering skills by the attackers.
2025-04-29 | The Register: Open source text editor poisoned with malware to target Uyghur users
Researchers at Citizen Lab identified a phishing campaign targeting Uyghur individuals abroad, involving a compromised version of the Uyghur text editor UyghurEditPP. The malware included a backdoor for data exfiltration and further malware installation. The attack exploited trust through impersonation of a partner organization. While the targeted members were warned by Google and did not fall for the phishing attempt, the incident highlights the attackers' understanding of the community and raises concerns about future threats.
2025-04-29 | The Hacker News: Malware Attack Targets World Uyghur Congress Leaders via Trojanized UyghurEdit++ Tool
In March 2025, a malware attack targeted senior members of the World Uyghur Congress using a trojanized version of UyghurEdit++, a legitimate tool. The spear-phishing campaign involved emails impersonating trusted contacts, leading to a password-protected RAR archive download. The malware, capable of system profiling and command execution, aimed to surveil Uyghurs in exile. The attack is believed to be linked to the Chinese government, reflecting ongoing transnational repression efforts against the Uyghur diaspora.
2025-04-30 | SC Magazine: Uyghur leaders subjected to malware attack
A spear-phishing campaign targeting senior members of the World Uyghur Congress was discovered in early March, involving Windows-based surveillance malware. Suspected Chinese state-backed actors impersonated a contact to send emails with Google Drive links that led to a trojanized UyghurEdit++ word processing tool. This spyware conducted system profiling and retrieved illicit plugins. The campaign aims to control Uyghurs' ties to their homeland and influence global perceptions of China's policies in Xinjiang.
From 112K to 4M folks' data – HR biz attack goes from bad to mega bad
Date: 2025-04-28 | Source: The Register
Houston-based VeriSource Services revealed that a February 2024 cyberattack compromised the data of 4 million individuals, significantly more than the initially reported 112,000. The breach may have included names, addresses, dates of birth, genders, and social security numbers. VeriSource is offering credit monitoring and identity theft protection for affected individuals. The company has not confirmed the nature of the attack or seen evidence of data misuse, and it continues to work with the FBI on the investigation.
2025-04-28 | BleepingComputer: VeriSource now says February data breach impacts 4 million people
VeriSource Services reported a data breach affecting 4 million individuals, with the incident occurring on February 27, 2024. The breach exposed sensitive personal information, including names, addresses, dates of birth, gender, and Social Security numbers. Notifications began on April 23, 2025, after an investigation revealed unauthorized access. VeriSource is offering 12 months of credit monitoring and identity protection to those affected. Previous notifications were sent to 55,000 and 112,000 individuals in 2024.
2025-04-29 | SC Magazine: VeriSource cops to 4 million accounts lost in 2024 data breach
VeriSource confirmed a data breach in February 2024 affecting at least four million accounts, compromising personal information such as names, addresses, dates of birth, gender classification, and Social Security numbers. The breach was detected on February 28, 2024, prompting an investigation with cybersecurity experts. VSI notified affected individuals by April 17, 2025, and is offering complimentary identity protection services. The method of breach and data encryption status remain undisclosed.
2025-04-29 | TechRadar: VeriSource bumps up potential victim count of data breach to 4 million
VeriSource has increased the estimated number of victims in its February 2024 data breach to four million, up from 55,000. The breach involved the theft of names, addresses, dates of birth, gender information, and Social Security numbers. The company reported the incident to Maine's Attorney General and began notifying affected individuals. No evidence of misuse has been found, and the data has not appeared on the dark web. VeriSource is offering 12 months of free credit monitoring and identity theft protection to victims.
Iran claims it stopped large cyberattack on country’s infrastructure
Date: 2025-04-28 | Source: Recorded Future
Iran reported thwarting a significant cyberattack on its infrastructure, described as "widespread and complex," according to Behzad Akbari of the Telecommunication Infrastructure Company. The incident coincided with a deadly explosion at Shahid Rajaei port, though no link to cyber operations was confirmed. Iran has faced previous cyberattacks, with officials attributing some to the U.S. and Israel, including notable incidents in 2021 and 2022. The current situation unfolds amid ongoing nuclear negotiations with the U.S.
2025-04-28 | SC Magazine: Iran claims to repel cyberattack on critical infrastructure
Iran reported repelling a significant cyberattack on its critical infrastructure, disclosed by Behzad Akbari of the Telecommunication Infrastructure Company. The attack's origins remain unclear, with speculation about potential involvement from Israel or other actors. Security experts caution against premature conclusions, noting the possibility of the incident being exaggerated or a diversion from other events. The attack highlights a trend toward aggressive cyber operations targeting national infrastructure, indicating a shift in geopolitical cyber strategies.
2025-04-29 | TechRadar: Widespread cyberattack against national infrastructure thwarted, Iranian government claims
Iran's cybersecurity experts successfully thwarted a "widespread and complex" cyberattack against the nation's critical infrastructure, as reported by Behzad Akbari of the Telecommunication Infrastructure Company. The attack's origin remains unconfirmed, and details about the incident are scarce. This follows a recent explosion at Shahid Rajaei port, which resulted in significant casualties, though no link between the two events has been established. National infrastructure remains a prime target amid rising geopolitical tensions.
Commissioner calls for ban on apps that make deepfake nude images of children
Date: 2025-04-28 | Source: The Guardian
The children's commissioner for England, Dame Rachel de Souza, has called for an immediate ban on AI apps that create deepfake nude images of children, citing growing fears among teenage girls. The report highlights the psychological impact of such technology and urges the government to introduce an AI bill to mitigate risks. It also emphasizes the need for effective age verification and enforcement of the Online Safety Act. The report links deepfake abuse to serious mental health issues and calls for urgent action to protect children.
2025-04-28 | BBC News: Call for ban on AI apps creating naked images of children
Dame Rachel de Souza, the children's commissioner for England, is urging a government ban on AI apps that create sexually explicit images of children, highlighting the dangers of "nudification." She noted that these technologies disproportionately target girls and young women, causing them to alter their online behavior for safety. While the government has laws against sharing explicit deepfake images, Dame Rachel argues that current measures are insufficient and calls for a complete ban on such apps.
2025-04-28 | DIGIT: Children’s Commissioner Hits Out at AI DeepFake Images
The Children’s Commissioner, Dame Rachel de Souza, urges the government to ban AI apps that generate sexually explicit deepfake images of children. Her report highlights the misuse of Generative AI, which poses significant risks to children's safety and well-being online. Despite the illegality of creating such images, the technology remains accessible. Recommendations include banning these apps, imposing legal responsibilities on developers, and establishing systems to remove harmful content from the internet.
WooCommerce admins targeted by fake security patches that hijack sites
Date: 2025-04-26 | Source: BleepingComputer
A phishing campaign targets WooCommerce users with fake security alerts urging them to download a malicious patch that installs a backdoor. The emails, spoofing WooCommerce, claim a critical vulnerability was found on April 14, 2025. Victims who download the patch create hidden admin accounts and install web shells, allowing full site control. Patchstack advises checking for unusual admin accounts, cronjobs, and suspicious outgoing requests to detect infections.
2025-04-28 | TechRadar: WooCommerce phishing campaign uses fake patch to lure victims into installing backdoors
A new phishing campaign targeting WooCommerce users has been identified by Patchstack. The attackers send emails claiming a "critical vulnerability" needs immediate fixing, providing a "Download Patch" link that installs a malicious WordPress plugin. This plugin creates a rogue admin account, hides itself, and deploys additional malware, including web shells. Users are advised to scan for suspicious plugins and admin accounts and ensure their WordPress and plugins/themes are updated.
2025-04-29 | SC Magazine: WooCommerce users subjected to widespread fake security phishing campaign
WooCommerce users faced a phishing campaign involving malware spread through fake security alerts. Malicious emails warned of an "unauthenticated administrative access" vulnerability, leading to a fraudulent patch download from a deceptive site. This resulted in the use of WordPress hooks to create hidden administrators and deploy obfuscated PHP web shells, enabling total server compromise for ad injections, billing data theft, and potential ransomware and DDoS attacks. The campaign may evolve as domains are flagged.